はじめに

kubeadmを使用したシングルマスタークラスターの作成

kubeadm helps you bootstrap a minimum viable Kubernetes cluster that conforms to best practices. With kubeadm, your cluster should pass Kubernetes Conformance tests. Kubeadm also supports other cluster
lifecycle functions, such as upgrades, downgrade, and managing bootstrap tokens.

Because you can install kubeadm on various types of machine (e.g. laptop, server,
Raspberry Pi, etc.), it’s well suited for integration with provisioning systems
such as Terraform or Ansible.

kubeadm’s simplicity means it can serve a wide range of use cases:

New users can start with kubeadm to try Kubernetes out for the first time.

Users familiar with Kubernetes can spin up clusters with kubeadm and test their applications.

Larger projects can include kubeadm as a building block in a more complex system that can also include other installer tools.

kubeadm is designed to be a simple way for new users to start trying
Kubernetes out, possibly for the first time, a way for existing users to
test their application on and stitch together a cluster easily, and also to be
a building block in other ecosystem and/or installer tool with a larger
scope.

You can install kubeadm very easily on operating systems that support
installing deb or rpm packages. The responsible SIG for kubeadm,
SIG Cluster Lifecycle, provides these packages pre-built for you,
but you may also build them from source for other OSes.

kubeadmの成熟度

Area

Maturity Level

Command line UX

GA

Implementation

GA

Config file API

Beta

CoreDNS

GA

kubeadm alpha subcommands

Alpha

High availability

Beta

DynamicKubeletConfig

Alpha

kubeadm’s overall feature state is GA. Some sub-features, like the configuration
file API are still under active development. The implementation of creating the cluster
may change slightly as the tool evolves, but the overall implementation should be pretty stable.
Any commands under kubeadm alpha are by definition, supported on an alpha level.

サポート期間

Kubernetes releases are generally supported for nine months, and during that
period a patch release may be issued from the release branch if a severe bug or
security issue is found. Here are the latest Kubernetes releases and the support
timeframe; which also applies to kubeadm.

目的

説明

kubeadmのインストール

If you have already installed kubeadm, run apt-get update &&
apt-get upgrade or yum update to get the latest version of kubeadm.

When you upgrade, the kubelet restarts every few seconds as it waits in a crashloop for
kubeadm to tell it what to do. This crashloop is expected and normal.
After you initialize your master, the kubelet runs normally.

マスターの初期化

The control-plane node is the machine where the control plane components run, including
etcd (the cluster database) and the API server (which the kubectl CLI
communicates with).

Choose a pod network add-on, and verify whether it requires any arguments to
be passed to kubeadm initialization. Depending on which
third-party provider you choose, you might need to set the --pod-network-cidr to
a provider-specific value. See Installing a pod network add-on.

(Optional) Since version 1.14, kubeadm will try to detect the container runtime on Linux
by using a list of well known domain socket paths. To use different container runtime or
if there are more than one installed on the provisioned node, specify the --cri-socket
argument to kubeadm init. See Installing runtime.

(Optional) Unless otherwise specified, kubeadm uses the network interface associated
with the default gateway to advertise the master’s IP. To use a different
network interface, specify the --apiserver-advertise-address=<ip-address> argument
to kubeadm init. To deploy an IPv6 Kubernetes cluster using IPv6 addressing, you
must specify an IPv6 address, for example --apiserver-advertise-address=fd00::101

詳細

To customize control plane components, including optional IPv6 assignment to liveness probe for control plane components and etcd server, provide extra arguments to each component as documented in custom arguments.

If you join a node with a different architecture to your cluster, create a separate
Deployment or DaemonSet for kube-proxy and kube-dns on the node. This is because the Docker images for these
components do not currently support multi-architecture.

kubeadm init first runs a series of prechecks to ensure that the machine
is ready to run Kubernetes. These prechecks expose warnings and exit on errors. kubeadm init
then downloads and installs the cluster control plane components. This may take several minutes.
The output should look like:

The token is used for mutual authentication between the control-plane node and the joining
nodes. The token included here is secret. Keep it safe, because anyone with this
token can add authenticated nodes to your cluster. These tokens can be listed,
created, and deleted with the kubeadm token command. See the
kubeadm reference guide.

Podネットワークアドオンのインストール

注意: This section contains important information about installation and deployment order. Read it carefully before proceeding.

You must install a pod network add-on so that your pods can communicate with
each other.

The network must be deployed before any applications. Also, CoreDNS will not start up before a network is installed.
kubeadm only supports Container Network Interface (CNI) based networks (and does not support kubenet).

Several projects provide Kubernetes pod networks using CNI, some of which also
support Network Policy. See the add-ons page for a complete list of available network add-ons.
- IPv6 support was added in CNI v0.6.0.
- CNI bridge and local-ipam are the only supported IPv6 network plugins in Kubernetes version 1.9.

Note that kubeadm sets up a more secure cluster by default and enforces use of RBAC.
Make sure that your network manifest supports RBAC.

Also, beware, that your Pod network must not overlap with any of the host networks as this can cause issues.
If you find a collision between your network plugin’s preferred Pod network and some of your host networks, you should think of a suitable CIDR replacement and use that during kubeadm init with --pod-network-cidr and as a replacement in your network plugin’s YAML.

For Calico to work correctly, you need to pass --pod-network-cidr=192.168.0.0/16 to kubeadm init or update the calico.yml file to match your Pod network. Note that Calico works on amd64, arm64, and ppc64le only.

For flannel to work correctly, you must pass --pod-network-cidr=10.244.0.0/16 to kubeadm init.

Set /proc/sys/net/bridge/bridge-nf-call-iptables to 1 by running sysctl net.bridge.bridge-nf-call-iptables=1
to pass bridged IPv4 traffic to iptables’ chains. This is a requirement for some CNI plugins to work, for more information
please see here.

Make sure that your firewall rules allow UDP ports 8285 and 8472 traffic for all hosts participating in the overlay network.
see here
.

Note that flannel works on amd64, arm, arm64, ppc64le and s390x under Linux.
Windows (amd64) is claimed as supported in v0.11.0 but the usage is undocumented.

Set /proc/sys/net/bridge/bridge-nf-call-iptables to 1 by running sysctl net.bridge.bridge-nf-call-iptables=1
to pass bridged IPv4 traffic to iptables’ chains. This is a requirement for some CNI plugins to work, for more information
please see here.

Kube-router relies on kube-controller-manager to allocate pod CIDR for the nodes. Therefore, use kubeadm init with the --pod-network-cidr flag.

For information on setting up Kubernetes cluster with Kube-router using kubeadm, please see official setup guide.

Set /proc/sys/net/bridge/bridge-nf-call-iptables to 1 by running sysctl net.bridge.bridge-nf-call-iptables=1
to pass bridged IPv4 traffic to iptables’ chains. This is a requirement for some CNI plugins to work, for more information
please see here.

Set /proc/sys/net/bridge/bridge-nf-call-iptables to 1 by running sysctl net.bridge.bridge-nf-call-iptables=1
to pass bridged IPv4 traffic to iptables’ chains. This is a requirement for some CNI plugins to work, for more information
please see here.

Weave Net works on amd64, arm, arm64 and ppc64le without any extra action required.
Weave Net sets hairpin mode by default. This allows Pods to access themselves via their Service IP address
if they don’t know their PodIP.

Once a pod network has been installed, you can confirm that it is working by
checking that the CoreDNS pod is Running in the output of kubectl get pods --all-namespaces.
And once the CoreDNS pod is up and running, you can continue by joining your nodes.

If your network is not working or CoreDNS is not in the Running state, checkout our troubleshooting docs.

コントロールプレーンノードの隔離

By default, your cluster will not schedule pods on the control-plane node for security
reasons. If you want to be able to schedule pods on the control-plane node, e.g. for a
single-machine Kubernetes cluster for development, run:

kubectl taint nodes --all node-role.kubernetes.io/master-

With output looking something like:

node "test-01" untainted
taint "node-role.kubernetes.io/master:" not found
taint "node-role.kubernetes.io/master:" not found

This will remove the node-role.kubernetes.io/master taint from any nodes that
have it, including the control-plane node, meaning that the scheduler will then be able
to schedule pods everywhere.

ノードの追加

The nodes are where your workloads (containers and pods, etc) run. To add new nodes to your cluster do the following for each machine:

The example above assumes SSH access is enabled for root. If that is not the
case, you can copy the admin.conf file to be accessible by some other user
and scp using that other user instead.

The admin.conf file gives the user superuser privileges over the cluster.
This file should be used sparingly. For normal users, it’s recommended to
generate an unique credential to which you whitelist privileges. You can do
this with the kubeadm alpha kubeconfig user --client-name <CN>
command. That command will print out a KubeConfig file to STDOUT which you
should save to a file and distribute to your user. After that, whitelist
privileges by using kubectl create (cluster)rolebinding.

(任意) APIサーバーをlocalhostへプロキシ

If you want to connect to the API Server from outside the cluster you can use
kubectl proxy:

次の手順

Configure log rotation. You can use logrotate for that. When using Docker, you can specify log rotation options for Docker daemon, for example --log-driver=json-file --log-opt=max-size=10m --log-opt=max-file=5. See Configure and troubleshoot the Docker daemon for more details.

kubeadmは様々なプラットフォームで動く

kubeadm deb/rpm packages and binaries are built for amd64, arm (32-bit), arm64, ppc64le, and s390x
following the multi-platform
proposal.

Multiplatform container images for the control plane and addons are also supported since v1.12.

Only some of the network providers offer solutions for all platforms. Please consult the list of
network providers above or the documentation from each provider to figure out whether the provider
supports your chosen platform.

制限事項

The cluster created here has a single control-plane node, with a single etcd database
running on it. This means that if the control-plane node fails, your cluster may lose
data and may need to be recreated from scratch.

Workarounds:

Regularly back up etcd. The
etcd data directory configured by kubeadm is at /var/lib/etcd on the control-plane node.